[Snort-users] Specific rule for bandwidth

Gabriel Corre gabriel.corre at ...17281...
Tue Sep 15 03:24:11 EDT 2015


I would like to use "stream_size" as a bandwidth controller. Thus I created this rule to test its functionality:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"WARNING! Session bandwidth > 8 bytes"; stream_size:both,>,8; sid:1000000001;)
I would like to know whether "stream_size" is reset when the alert is triggered, or whether it still counts the number of bytes observed.

The doc says: "The stream_size keyword allows a rule to match traffic according to the number of bytes observed, as determined by the TCP sequence numbers." It doesn't pinpoint this aspect and I'm not sure about my bandwidth test.



Gabriel Corré
Security & Network Engineering Student, Ops - Core Infrastructure
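To make the keyword's behaviour concrete, here is an added example (not from the post and not Snort's own code) that models a stream_size check in Python: the per-direction count is derived from sequence numbers relative to the first one seen in that direction, so it is cumulative for the life of the session and nothing in the alert path resets it, which is what the quoted doc sentence implies and why a plain `>` threshold fires on every later packet unless an event_filter limits it. The packet tuple format, the ISN simplification and the once-per-session limiter are assumptions of this example.

```python
import operator
from dataclasses import dataclass, field

# Assumption of this example: bytes per direction = highest (seq + payload
# length) seen minus the first seq seen; 32-bit sequence wrap is ignored.
OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq,
       "!=": operator.ne, ">=": operator.ge, "<=": operator.le}

@dataclass
class Direction:
    isn: int = -1       # first sequence number seen in this direction (-1 = none yet)
    next_seq: int = 0   # highest seq + payload length seen so far

    def observe(self, seq: int, payload_len: int) -> None:
        if self.isn < 0:
            self.isn = seq
        # A retransmission never reaches beyond next_seq, so it adds nothing.
        self.next_seq = max(self.next_seq, seq + payload_len)

    def bytes_seen(self) -> int:
        return 0 if self.isn < 0 else self.next_seq - self.isn

@dataclass
class Session:
    client: Direction = field(default_factory=Direction)
    server: Direction = field(default_factory=Direction)

    def stream_size(self, mode: str, op: str, number: int) -> bool:
        """Evaluate stream_size:<mode>,<op>,<number> against this session."""
        cmp, c, s = OPS[op], self.client.bytes_seen(), self.server.bytes_seen()
        return {"client": cmp(c, number), "server": cmp(s, number),
                "both": cmp(c, number) and cmp(s, number),
                "either": cmp(c, number) or cmp(s, number)}[mode]

def replay(packets, mode="both", op=">", number=8, once_per_session=False):
    """Return, per (direction, seq, payload_len) packet, whether the rule fires.
    once_per_session keeps only the first hit, a simplified event_filter limit."""
    sess, fired, out = Session(), False, []
    for direction, seq, plen in packets:
        getattr(sess, direction).observe(seq, plen)
        hit = sess.stream_size(mode, op, number)
        if once_per_session:
            hit, fired = hit and not fired, fired or hit
        out.append(hit)
    return out

# Constructed trace: client sends 5 bytes, server answers with 10, client sends
# 6 more, retransmits them, then the server sends a bare ACK (0 payload bytes).
TRACE = [("client", 1000, 5), ("server", 5000, 10), ("client", 1005, 6),
         ("client", 1005, 6), ("server", 5010, 0)]
```

Replaying TRACE with the post's `both,>,8` check yields no match for the first two packets and a match for every packet from the third onward, retransmission and bare ACK included; only the once-per-session limiter reduces that to a single alert.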

